Date: Tue, 15 Apr 2025 12:26:35 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 1463d5ff1316 - stable/14 - if_ovpn: fix use-after-free of mbuf Message-ID: <202504151226.53FCQZJ9040985@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=1463d5ff13164362f0825c4613dcb4eb42a7396c commit 1463d5ff13164362f0825c4613dcb4eb42a7396c Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-04-01 13:19:26 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-04-15 07:27:09 +0000 if_ovpn: fix use-after-free of mbuf m_unshare() can return a new mbuf pointer. We update the 'm' pointer in ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for an unknown peer) the caller (udp_append()) continues with the old 'm' pointer, eventually resulting in a use-after-free. Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer until we're committed to keeping the packet. PR: 283426 Test case by: takahiro.kurosawa@gmail.com MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 04a7134c1e92c7752ffdc665f99ae26db70866c0) --- sys/net/if_ovpn.c | 12 +++--- tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 6 deletions(-) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index 6309d1f365cf..879cc0636db7 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -2255,12 +2255,6 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp, M_ASSERTPKTHDR(m); - m = m_unshare(m, M_NOWAIT); - if (m == NULL) { - OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); - return (true); - } - OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off); ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag); @@ -2288,6 +2282,12 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp, return (false); } + m = m_unshare(m, M_NOWAIT); + if (m == NULL) { + OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); + return (true); + } + m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen); if (m == NULL) { OVPN_RUNLOCK(sc); diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index 3623f57115ac..b0967c992b5d 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh @@ -106,6 +106,86 @@ atf_test_case "4in4" "cleanup" ovpn_cleanup } +atf_test_case "bz283426" "cleanup" +bz283426_head() +{ + atf_set descr 'FreeBSD Bugzilla 283426' + atf_set require.user root + atf_set require.progs openvpn python3 +} + +bz283426_body() +{ + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + jexec a ifconfig ${l}a 192.0.2.1/24 up + vnet_mkjail b ${l}b + jexec b ifconfig ${l}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp4 + + cipher AES-256-GCM + auth SHA256 + + bind 0.0.0.0:1194 + server 198.51.100.0 255.255.255.0 + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 192.0.2.1 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1 + + # Send a broadcast packet in the outer link. + echo "import socket as sk +s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM) +s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1) +s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3 + + atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 +} + +bz283426_cleanup() +{ + ovpn_cleanup +} + atf_test_case "4mapped" "cleanup" 4mapped_head() { @@ -1033,6 +1113,7 @@ gcm_128_cleanup() atf_init_test_cases() { atf_add_test_case "4in4" + atf_add_test_case "bz283426" atf_add_test_case "4mapped" atf_add_test_case "6in4" atf_add_test_case "6in6"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202504151226.53FCQZJ9040985>